@w0rk3r w0rk3r commented Jul 30, 2025

Proposed commit message

Revert the preserve_duplicate_custom_fields change from #14756 because it
causes unintended breaking changes to existing installations by removing
winlog.event_data fields that previously existed by default. As a secondary
effect, this leads to false positives in some detection rules that use those
fields as exclusions.

Summary

Revert the removal of winlog.event_data fields. These are used in detection rules because they’re more reliable and more likely to be populated correctly across different versions of the Windows and System integrations, as well as Winlogbeat.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
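To make the failure mode in the summary concrete, here is an added example (not code from this PR or from the integration) that simulates what happens when a duplicated `winlog.event_data` field is dropped after being copied to its ECS field: a rule whose exclusion keys on the raw field stops suppressing the event. The field names, the sample event and the ECS mapping are constructed for illustration.

```python
"""Constructed demo: a rule exclusion on winlog.event_data silently stops
working once the duplicated field is removed from the document."""

# Sample process-creation event, as emitted when raw event_data fields are
# kept alongside their ECS copies (values are constructed, not real data).
RAW_EVENT = {
    "event": {"code": "4688"},
    "user": {"name": "SYSTEM"},  # ECS copy of SubjectUserName
    "winlog": {"event_data": {
        "SubjectUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\svchost.exe",
    }},
}

# Assumed mapping of event_data keys to the ECS field they are copied into.
ECS_COPIES = {"SubjectUserName": ("user", "name")}


def drop_duplicate_custom_fields(doc: dict) -> dict:
    """Simulate the reverted behaviour: remove winlog.event_data keys whose
    value has already been copied to an ECS field. Returns a new document."""
    out = {k: (dict(v) if isinstance(v, dict) else v) for k, v in doc.items()}
    event_data = dict(out.get("winlog", {}).get("event_data", {}))
    for key, (top, sub) in ECS_COPIES.items():
        if key in event_data and out.get(top, {}).get(sub) == event_data[key]:
            del event_data[key]
    out["winlog"] = {"event_data": event_data}
    return out


def get_field(doc: dict, path: str):
    """Dotted-path lookup; an absent field yields None, as in a query engine."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(doc: dict) -> bool:
    """Rule: event.code:4688 and not winlog.event_data.SubjectUserName:"SYSTEM".
    When the exclusion field is missing it never equals "SYSTEM", so the
    negated clause is true and the event alerts."""
    is_proc_create = get_field(doc, "event.code") == "4688"
    excluded = get_field(doc, "winlog.event_data.SubjectUserName") == "SYSTEM"
    return is_proc_create and not excluded


def false_positive_introduced() -> bool:
    """True when the same event is suppressed before the change and alerts after."""
    return (not rule_matches(RAW_EVENT)) and rule_matches(drop_duplicate_custom_fields(RAW_EVENT))
```

Pointing the exclusion at the ECS copy (`user.name`) would survive the field removal; the page's point is that many existing rules key on the raw field, which is why the revert was needed.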

@w0rk3r w0rk3r marked this pull request as ready for review July 30, 2025 22:16
@w0rk3r w0rk3r requested review from a team as code owners July 30, 2025 22:16
@w0rk3r w0rk3r changed the title [Draft] Revert the removal of winlog.event_data fields [Bugfix] Revert the removal of winlog.event_data fields Jul 30, 2025
@w0rk3r w0rk3r requested a review from andrewkroh July 30, 2025 22:20
@w0rk3r w0rk3r self-assigned this Jul 30, 2025
@w0rk3r w0rk3r added Integration:system System bugfix Pull request that fixes a bug issue labels Jul 30, 2025
@andrewkroh andrewkroh left a comment

LGTM assuming the CI goes 🍏 .

Thanks.

@andrewkroh andrewkroh added the Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] label Jul 30, 2025
@elasticmachine
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@andrewkroh andrewkroh requested a review from a team July 30, 2025 22:40
@andrewkroh andrewkroh enabled auto-merge (squash) July 30, 2025 22:44
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
💚 Build Succeeded

cc @w0rk3r

@andrewkroh andrewkroh merged commit 59bed8e into main Jul 30, 2025
7 checks passed
@andrewkroh andrewkroh deleted the dont_drop branch July 30, 2025 23:02
@elastic-vault-github-plugin-prod

Package system - 2.5.2 containing this change is available at https://epr.elastic.co/package/system/2.5.2/
